From jr@opal.com  Mon Feb 18 17:03:21 2013
Message-Id: <201302181703.r1IH3Bum090564@shibato.opal.com>
Date: Mon, 18 Feb 2013 12:03:11 -0500 (EST)
From: "J.R. Oldroyd" <fbsd@opal.com>
Reply-To: "J.R. Oldroyd" <fbsd@opal.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: euc locale input modifies data
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         176250
>Category:       bin
>Synopsis:       [libc] [patch] euc locale input modifies data
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 18 17:10:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Mon Feb 18 17:18:07 UTC 2013
>Originator:     J.R. Oldroyd
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD xx.opal.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244985: Tue Jan 8 10:51:13 EST 2013 jr@xx.opal.com:/usr/src/sys/amd64/compile/GENERIC amd64
>Description:
When reading an invalid multibyte data sequence while set to an euc locale,
e.g., ja_JP.eucJP, the src/lib/libc/locale/euc.c code will modify the bytes
read to ensure that the 0x8080 or 0x808080 bits are set.  This has the
effect of silently returning data other than that which was in the input.
There is then no way of detecting that the input sequence was invalid.

The correct behavior is to test that those bits are set, return the data
if they are, but return EILSEQ if not.

Fix is applicable to 10-current and 9-stable.  Please MFC.
>How-To-Repeat:
1. Create test file containing invalid euc multibyte characters such as:
	0xa440 0xac4f 0xb36f 0xcf20
2. Set locale to, e.g., ja_JP.eucJP.
3. Read characters from file using getwc().  Observe that what's read is:
	0xa4c0 0xaccf 0xb3ef 0xcfa0
>Fix:
--- src/lib/libc/locale/euc.c.orig	2013-01-02 19:26:36.000000000 -0500
+++ src/lib/libc/locale/euc.c	2013-02-17 15:51:58.000000000 -0500
@@ -215,7 +215,11 @@
 		es->ch = wc;
 		return ((size_t)-2);
 	}
-	wc = (wc & ~CEI->mask) | CEI->bits[set];
+	if (wc != ((wc & ~CEI->mask) | CEI->bits[set])) {
+		/* Invalid multibyte sequence */
+		errno = EILSEQ;
+		return ((size_t)-1);
+	}
 	if (pwc != NULL)
 		*pwc = wc;
 	es->want = 0;
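Review bot: The new condition `wc != ((wc & ~CEI->mask) | CEI->bits[set])` would read more directly as `(wc & CEI->mask) != CEI->bits[set]`, which is equivalent as long as `CEI->bits[set]` has no bits outside `CEI->mask` and makes it obvious that only the marker bits are being validated. The error branch returns `(size_t)-1` without touching `es->want`, which the success path resets to 0 just below; consider clearing the conversion state there as well, or say in the comment that it is deliberately left as-is after EILSEQ. Also confirm that euc.c already includes <errno.h>, since the hunk does not show it.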
>Release-Note:
>Audit-Trail:
>Unformatted:
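The How-To-Repeat steps above as a regression check, added here as an example and not part of the original report or of libc. It feeds the four invalid byte pairs to mbrtowc() instead of going through a file and getwc(). The names `euc_old`, `euc_patched` and `count_accepted_invalid` are hypothetical, and the two model functions take the mask and marker bits as parameters (the description mentions 0x8080 for two-byte characters).

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed input: the four invalid byte pairs from How-To-Repeat. */
static const unsigned char BAD[4][2] = {
    {0xa4, 0x40}, {0xac, 0x4f}, {0xb3, 0x6f}, {0xcf, 0x20}
};

/* Model of the pre-patch line: force the code set's marker bits on. */
unsigned long euc_old(unsigned long wc, unsigned long mask, unsigned long bits)
{
    return (wc & ~mask) | bits;
}

/* Model of the patched test: 0 if wc already carries the bits, else -1. */
int euc_patched(unsigned long wc, unsigned long mask, unsigned long bits)
{
    return (wc == euc_old(wc, mask, bits)) ? 0 : -1;
}

/* Live check: how many of the invalid pairs does this libc's mbrtowc()
 * accept in the given locale?  -1 = locale not installed, 0 = none. */
int count_accepted_invalid(const char *locale_name)
{
    int accepted = 0;
    if (setlocale(LC_CTYPE, locale_name) == NULL)
        return -1;
    for (size_t i = 0; i < 4; i++) {
        mbstate_t st;
        wchar_t wc = 0;
        memset(&st, 0, sizeof(st));          /* fresh state per pair */
        size_t r = mbrtowc(&wc, (const char *)BAD[i], 2, &st);
        if (r == (size_t)-1 || r == (size_t)-2)
            continue;                        /* rejected or incomplete */
        accepted++;
        printf("%02x%02x accepted as 0x%lx\n", BAD[i][0], BAD[i][1], (unsigned long)wc);
    }
    setlocale(LC_CTYPE, "C");
    return accepted;
}

int main(void)
{
    int n = count_accepted_invalid("ja_JP.eucJP");
    printf("invalid sequences accepted (-1 = locale missing): %d\n", n);
    return n > 0;
}
```

A non-zero exit status means the C library accepted at least one of the invalid sequences in that locale.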
